dnscache: fix eval and start

This commit is contained in:
Sandro - 2024-04-18 21:59:29 +02:00
parent 721e6959b3
commit 62fae6a546
Signed by: sandro
GPG Key ID: 3AF5A43A3EECC2E5


@ -7,7 +7,8 @@ lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
listenPlain = [ "0.0.0.0:53" "[::0]:53" ]; listenPlain = [ "0.0.0.0:53" "[::0]:53" ];
extraConfig = /* lua */ '' extraConfig = /* lua */ ''
modules = { modules = {
'http', -- 'http', -- module 'cqueues' not found
'policy',
'predict', 'predict',
'prefill', 'prefill',
'serve_stale < cache', -- servce stail records while refreshing the record 'serve_stale < cache', -- servce stail records while refreshing the record
@ -18,8 +19,8 @@ lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
cache.size = 500 * MB cache.size = 500 * MB
cache.min_ttl(60) cache.min_ttl(60)
net.listen('127.0.0.1', 8453, { kind = 'webmgmt' }) -- net.listen('127.0.0.1', 8453, { kind = 'webmgmt' })
http.prometheus.namespace = 'resolver_' -- http.prometheus.namespace = 'resolver_'
-- dns42 -- dns42
policy.add(policy.suffix( policy.add(policy.suffix(
@ -35,19 +36,21 @@ lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
-- size.dns.localZones -- size.dns.localZones
policy.add(policy.suffix( policy.add(policy.suffix(
policy.STUB({'${config.site.net.serv.hosts4.dns}', ${lib.concatStringsSep ", " (map (hosts6: "'${hosts6.dns}'") (builtins.attrValues config.site.net.serv.hosts6))}}) policy.STUB({'${config.site.net.serv.hosts4.dns}', ${lib.concatStringsSep ", " (map (hosts6: "'${hosts6.dns}'") (builtins.attrValues config.site.net.serv.hosts6))}}),
policy.todnames({${lib.concatStringsSep ", " (map (zone: "'${zone.name}'") config.site.dns.localZones)}}) policy.todnames({${lib.concatStringsSep ", " (map (zone: "'${zone.name}'") config.site.dns.localZones)}})
)) ))
-- forward to dns caches -- forward to dns caches
policy.add(policy.slice( -- TODO: package psl
policy.slice_randomize_psl(), policy.add( --policy.slice(
policy.all(
--policy.slice_randomize_psl(), -- lua-psl is required for policy.slice_randomize_psl()
-- quad9 -- quad9
policy.TLS_FORWARD({ policy.TLS_FORWARD({
{'2620:fe::fe', hostname='dns.quad9.net'}, {'2620:fe::fe', hostname='dns.quad9.net'},
{'2620:fe::9', hostname='dns.quad9.net'}, {'2620:fe::9', hostname='dns.quad9.net'},
{'9.9.9.9', hostname='dns.quad9.net'} {'9.9.9.9', hostname='dns.quad9.net'}
}) }),
-- cloudflare -- cloudflare
policy.TLS_FORWARD({ policy.TLS_FORWARD({
{'2606:4700:4700::1111', hostname='cloudflare-dns.com'}, {'2606:4700:4700::1111', hostname='cloudflare-dns.com'},
@ -55,7 +58,7 @@ lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
{'1.1.1.1', hostname='cloudflare-dns.com'}, {'1.1.1.1', hostname='cloudflare-dns.com'},
{'1.0.0.1', hostname='cloudflare-dns.com'} {'1.0.0.1', hostname='cloudflare-dns.com'}
}) })
}))) ))
-- allow access from our networks -- allow access from our networks
'' + lib.concatMapStringsSep "\n" (cidr: "view:addr('${cidr}', policy.all(policy.PASS))") [ '' + lib.concatMapStringsSep "\n" (cidr: "view:addr('${cidr}', policy.all(policy.PASS))") [
@ -72,8 +75,7 @@ lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
"2a00:8180:2000:37::1/128" "2a00:8180:2c00:200::/56" "2a00:8180:2000:37::1/128" "2a00:8180:2c00:200::/56"
# flpk # flpk
"${config.site.net.flpk.subnet4}" "2a0f:5382:acab:1400::/56 allow" "${config.site.net.flpk.subnet4}" "2a0f:5382:acab:1400::/56 allow"
] + /* lua */ '' ] + "\n" + /* lua */ ''
-- drop everything that hasn't matched -- drop everything that hasn't matched
view:addr('0.0.0.0/0', policy.all(policy.DROP)) view:addr('0.0.0.0/0', policy.all(policy.DROP))
@ -82,14 +84,14 @@ lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
predict = { predict = {
window = 15, -- sampling window window = 15, -- sampling window
period = 24*(60/15) -- track last X hours, divide through sampling window period = 24*(60/15) -- track last X hours, divide through sampling window
}, }
prefill.config({ -- prefill.config({
['.'] = { -- ['.'] = {
url = 'https://www.internic.net/domain/root.zone', -- url = 'https://www.internic.net/domain/root.zone',
interval = 86400, -- seconds -- interval = 86400, -- seconds
} -- }
}) -- })
''; '';
}; };
} }
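Review bot: In the third hunk, `policy.add(policy.all(` is now handed two actions — the Quad9 `policy.TLS_FORWARD` and, after the comma on the new `}),` line, the Cloudflare one — but as far as I know `policy.all` takes a single action and returns it for every query, so the Cloudflare forwarder is silently never consulted and the whole `-- cloudflare` block is dead configuration; if resilience against a failing Quad9 is the goal, both server lists belong in one `policy.TLS_FORWARD({...})` so the resolver can pick among them, and the per-server `hostname=` pinning that authenticates the DoT upstream is kept either way. Separately, `'prefill'` stays in `modules` while `prefill.config(...)` is commented out, so either drop the module from the list or keep its config rather than leave a loaded-but-unconfigured module. The `-- TODO: package psl` comment should state the intent, e.g. `-- TODO: restore policy.slice(policy.slice_randomize_psl(), ...) once lua-psl is packaged`. The enclosing `extraConfig` string starts before the first hunk, and one Cloudflare server line between the third and fourth hunks is outside this view.
```lua
-- forward to dns caches: one TLS_FORWARD so the resolver can fail over
-- between upstreams (policy.all only takes a single action)
policy.add(policy.all(
  policy.TLS_FORWARD({
    -- quad9
    {'2620:fe::fe', hostname='dns.quad9.net'},
    {'2620:fe::9', hostname='dns.quad9.net'},
    {'9.9.9.9', hostname='dns.quad9.net'},
    -- cloudflare
    {'2606:4700:4700::1111', hostname='cloudflare-dns.com'},
    -- … unchanged: remaining cloudflare IPv6 entry between the hunks …
    {'1.1.1.1', hostname='cloudflare-dns.com'},
    {'1.0.0.1', hostname='cloudflare-dns.com'}
  })
))
```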